Skip to main content

IC84752: SECURITY: STACK BUFFER OVERFLOW VULNERABILITY IN JAVA STORED PROCEDURE INFRASTRUCTURE (CVE-2012-2197).


Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • A stack buffer overflow vulnerability in Java Stored Procedure
infrastructure could be exploited to attain remote code
execution.

To exploit the vulnerability the malicious user would need:
1) Valid credential to connect to database
2) CONNECT privilege on database
3) A Java stored procedure to which the user has EXECUTE
privilege.

Local fix

  •  
    • 
  
 
  
Problem summary
 
  
     
   
  • ****************************************************************
* USERS AFFECTED:                                              *
* All DB2 systems on all Linux, Unix and Windows platforms at  *
* service levels from Version 9.5 GA through to Version 9.5    *
* Fix Pack 9.                                                  *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See Security Bulletin: Buffer Overflow Vulnerability in IBM  *
* DB2 Java Stored Procedure Infrastructure                     *
*                                                              *
* (CVE-2012-2197).                                             *
* http://www.ibm.com/support/docview.wss?uid=swg21607628       *
****************************************************************
* RECOMMENDATION:                                              *
* Refer to the following security bulletin to evaluate the     *
* potential impact in your environment.                        *
* Security Bulletin: Buffer Overflow Vulnerability in IBM DB2  *
* SQL/PSM Stored Procedure Infrastructure (CVE-2012-4826).     *
* http://www.ibm.com/support/docview.wss?uid=swg21614536       *
****************************************************************

     
    • 
  
 
  
Problem conclusion
 
  
     
   
  • An incomplete fix for this problem was introduced in DB2 Version
9.5 Fix Pack 10.
The fix for APAR IC86765 will complete the fix.
See Security Bulletin: Buffer Overflow Vulnerability in IBM DB2
SQL/PSM Stored Procedure Infrastructure (CVE-2012-4826).
http://www.ibm.com/support/docview.wss?uid=swg21614536

     
    • 
  
 
  
Temporary fix
 
  
     
   
  •  
    • 
  
 
  
Comments
 
  
     
   
  •  
    • 
  
 
  
APAR Information
 
  
 
   
     
    
  • APAR number
    IC84752
    •  
    
  • Reported component name
    DB2 FOR LUW
    •  
    
  • Reported component ID
    DB2FORLUW
    •  
    
  • Reported release
    950
    •  
    
  • Status
    CLOSED PER
    •  
    
  • PE
    NoPE
    •  
    
  • HIPER
    NoHIPER
    •  
    
  • Special Attention
    NoSpecatt
    •  
    
  • Submitted date
    2012-06-19
    •  
    
  • Closed date
    2012-08-21
    •  
    
  • Last modified date
    2012-12-19
    •  
   
 
  
 
  
     
   
  • APAR is sysrouted FROM one or more of the following:
     
     IC84555
     
    •  
   
  • APAR is sysrouted TO one or more of the following:
     
    •  
  
 
  
Fix information
 
  
     
   
  • Fixed component name
    DB2 FOR LUW
    •  
   
  • Fixed component ID
    DB2FORLUW
    •  
  
 
  
Applicable component levels
 
  
     
   
  • R910 PSN
       UP
    •  
   
  • R950 PSN
       UP
    •  
   
  • R970 PSN
       UP
    •  
   
  • R980 PSN
       UP
    •  
   
  • RA10 PSN
       UP
    •  
  
 
 
 

 









Rate this page:



(0 users)Average rating 





















	
	
	
	
	









	



























Copyright and trademark information



	
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.  Other product and service names might be trademarks of IBM or other companies.  A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.































Rate this page:






(0 users)Average rating









Add comments














Document information





	
DB2 for Linux, UNIX and Windows


	




	
Software version:

	9.5

	





	
Reference #:

IC84752






Modified date:

2012-12-19








Translate my page














































 



Content navigation